This adds a script which runs the end2end_tests, captures a wire trace, and then minimizes the corpus with the fuzzer. Minimizing the corpus requires libfuzzer, so this only works in a Chromium checkout. Unseeded, the fuzzer starts with coverage of about 600 features. Using a seed corpus captured from the tests, the fuzzer quickly increases coverage to about 10,000 features.

Change-Id: I8d0db5121745bd5ee4a350cf46fb37cfa434e3dc
Bug: dawn:295
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/14242
Commit-Queue: Austin Eng <enga@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Fuzzing Dawn
dawn_wire_server_and_frontend_fuzzer
The dawn_wire_server_and_frontend_fuzzer sets up Dawn using the Null backend and passes inputs to the wire server. This fuzzes the dawn_wire deserialization as well as Dawn's frontend validation.
Updating the Seed Corpus
Using a seed corpus significantly improves the efficiency of fuzzing. Dawn's fuzzers use interesting testcases discovered in previous fuzzing runs to seed future runs. Fuzzing can be further improved by using Dawn tests as an example of API usage, which allows the fuzzer to quickly discover and use new API entrypoints and usage patterns.
The script update_fuzzer_seed_corpus.sh can be used to capture a trace while running Dawn tests, and merge it with all existing interesting fuzzer inputs.
To run the script:
- Make sure gcloud is installed: https://g3doc.corp.google.com/cloud/sdk/g3doc/index.md?cl=head
- Login with @google.com credentials: `gcloud auth login`
- You must be in a Chromium checkout using the GN arg `use_libfuzzer=true`
- Run `./third_party/dawn/scripts/update_fuzzer_seed_corpus.sh <out_dir> <fuzzer> <test>`. Example: `./third_party/dawn/scripts/update_fuzzer_seed_corpus.sh out/fuzz dawn_wire_server_and_frontend_fuzzer dawn_end2end_tests`
- The script will print instructions for testing, and then uploading, new inputs. Please only upload inputs after testing the fuzzer with the new inputs and verifying there is a meaningful change in coverage.
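The last step asks you to check that the new inputs actually change coverage before uploading. The helper below is an added example, not part of Dawn's update_fuzzer_seed_corpus.sh: it runs the fuzzer binary in libFuzzer's `-merge=1` mode, which only copies inputs that add new features into the corpus, and parses libFuzzer's MERGE-OUTER summary line to decide whether the gain clears a threshold. The threshold (100 features) and the corpus directory names are assumptions.

```shell
#!/bin/sh
# Added helper (not Dawn's own script): merge newly captured wire traces into a
# seed corpus with libFuzzer -merge=1 and report whether coverage really grew.

# Parse libFuzzer's merge summary and print "<new_files> <new_features>".
# The line format comes from libFuzzer (FuzzerMerge.cpp), e.g.:
#   MERGE-OUTER: 37 new files with 9412 new features added; 1200 new coverage edges
parse_merge_summary() {
  sed -n 's/^MERGE-OUTER: \([0-9][0-9]*\) new files with \([0-9][0-9]*\) new features added.*/\1 \2/p' "$1"
}

# Return 0 when the merge added at least $2 new features (assumed default: 100),
# 1 when it added fewer or when no summary line was found in the log $1.
merge_is_meaningful() {
  log="$1"; min_features="${2:-100}"
  set -- $(parse_merge_summary "$log")
  [ "$#" -eq 2 ] || return 1
  [ "$2" -ge "$min_features" ]
}

# Merge inputs from $3 into corpus $2 using fuzzer binary $1, keeping only
# inputs that add new features, then gate the upload decision on the summary.
# Usage (paths assumed):
#   merge_corpus out/fuzz/dawn_wire_server_and_frontend_fuzzer seed_corpus new_traces
merge_corpus() {
  fuzzer="$1"; corpus="$2"; new_inputs="$3"
  log="$(mktemp)"
  # libFuzzer writes its progress to stderr; capture everything for parsing.
  "$fuzzer" -merge=1 "$corpus" "$new_inputs" 2>&1 | tee "$log"
  if merge_is_meaningful "$log"; then
    echo "merge added coverage; OK to upload the corpus"
  else
    echo "no meaningful coverage change; do not upload" >&2
    return 1
  fi
}
```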